
Preventing malicious code input with clean_html?

Hi all,

I'd like people to be able to submit code in a textarea form field but also prevent them from posting malicious code.

At the moment, I use a regular expression to prevent code being posted, and the only option in my newbie repertoire to allow code to be posted is to ask the poster to convert selected characters into their equivalent entity references--which, of course, is a burden on the poster.

I stumbled on a reference to clean_html. Would that be a useful option here, and if so, how is it used for this purpose?

Or is there a better option?

I stumbled on clean_html while looking through the FormMail.cgi script (which I don't use, BTW):

So far I've tried out htmlentities, and it worked nicely, although only if I got rid of the regex for that field. Not sure what I need to check for now. As htmlentities comes before the regex, should I leave out characters that htmlentities will (presumably) already have stripped out?

Also, htmlentities did not convert characters like { and $. Is there an equivalent function for php / css characters, by any chance?

Why do you need to filter out the dollar sign?
It doesn't have any reserved action in HTML.

So what are you doing with the submitted content?

Yes, I should have specified. This is just a form-to-email issue. No database involved. I want people to be able to post HTML and PHP code without leaving open the risk of malicious email injections etc.

I'm not really sure what extent I need to go to in order to avoid nasty stuff.
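A worked example, added here and not taken from any post in this thread or from FormMail.cgi, of the point the last two posts are circling around: in a form-to-email script the thing to defend against is email header injection, which needs a line break in a value that ends up in a header, not the characters inside the submitted code. The field names (name, email, subject, code), the FORM_TO / FORM_FROM addresses and the two sample submissions are assumptions made for the example; it needs PHP 7.4 or later.

```php
<?php
// Added example, not code from this thread or from FormMail.cgi.
// Assumed form field names: name, email, subject, code.
// FORM_TO / FORM_FROM are placeholder addresses.
declare(strict_types=1);

const FORM_TO   = 'you@example.com';      // placeholder recipient
const FORM_FROM = 'webform@example.com';  // fixed sender, never taken from the form

// Header injection works by putting a line break into a value that lands in a
// header (Subject, Reply-To ...) and appending "Bcc: ..." or a whole second
// message after it. So the one hard rule is: no CR, LF or NUL in any value
// that goes into a header. The body is a separate argument to mail() and
// cannot add headers, so the code itself can contain anything.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

// Validate the submission and build the pieces mail() needs.
// Returns ['ok' => false, 'errors' => [...]] when the input is unsafe.
function build_mail(array $post): array
{
    $name    = trim((string) ($post['name']    ?? ''));
    $email   = trim((string) ($post['email']   ?? ''));
    $subject = trim((string) ($post['subject'] ?? ''));
    $code    = (string) ($post['code'] ?? '');   // body only, never a header

    $errors = [];
    foreach (['name' => $name, 'email' => $email, 'subject' => $subject] as $field => $value) {
        if (has_header_injection($value)) {
            $errors[] = "$field contains a line break";
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }

    // Sent as text/plain, so <, >, {, $ and "<?php" need no escaping at all:
    // a mail client will not interpret them as markup or code.
    $body = "Name: $name\n\nSubmitted code:\n\n$code\n";

    return [
        'ok'      => true,
        'to'      => FORM_TO,
        'subject' => $subject !== '' ? $subject : 'Code submission',
        'headers' => [
            'From'                      => FORM_FROM,
            'Reply-To'                  => $email,   // validated, no line breaks
            'MIME-Version'              => '1.0',
            'Content-Type'              => 'text/plain; charset=UTF-8',
            'Content-Transfer-Encoding' => '8bit',
        ],
        'body'    => $body,
    ];
}

// Only needed if the mail is sent as text/html instead: then the HTML
// metacharacters must be escaped, but { and $ still do not need to be.
function html_body(string $name, string $code): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Name: ' . $esc($name) . "</p>\n<pre>" . $esc($code) . "</pre>\n";
}

// Constructed sample input: a legitimate submission containing PHP code ...
$good = [
    'name'    => 'Ada',
    'email'   => 'ada@example.org',
    'subject' => 'Loop question',
    'code'    => '<?php foreach ($rows as $r) { echo "$r\n"; } ?>',
];
// ... and the same form with a Bcc: header smuggled into the name field.
$bad = $good;
$bad['name'] = "Ada\r\nBcc: everyone@example.net";

print_r(build_mail($good));   // ok => true, the code reaches the body unchanged
print_r(build_mail($bad));    // ok => false, errors => ["name contains a line break"]
echo html_body($good['name'], $good['code']);

// To actually send from the form handler:
// $m = build_mail($_POST);
// if ($m['ok']) { mail($m['to'], $m['subject'], $m['body'], $m['headers']); }
// (mail() accepts the headers as an array since PHP 7.2.)
```

The From header is fixed and the poster's address goes in Reply-To, so a submitted address can never become the sender; htmlentities only matters if the message is rendered as HTML, which is why the plain-text path leaves the code untouched and the HTML path uses htmlspecialchars on the whole block instead of asking the poster to convert characters by hand.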